{ pkgs, lib, config, hosts, ... }:
let
  # Lease length requested from the router for the renewable redirections.
  leaseSeconds = 30 * 60;

  # One UDP redirection for a Mosh port; the ports are exposed as a small
  # contiguous range below, one entry per port.
  moshRedirection = port: {
    description = "Mosh";
    externalPort = port;
    protocol = "UDP";
    duration = leaseSeconds;
    service.wantedBy = [ "sshd.service" ];
  };

  # Reverse tunnel re-exposing this host's sshd on mermet, port 10022.
  # `-R *:...` asks mermet's sshd to bind every address, which requires
  # services.openssh.gatewayPorts = "clientspecified" on the target;
  # ExitOnForwardFailure makes a refused bind exit (and thus restart) instead
  # of leaving an idle session.  `-v` sends debug output to the journal.
  reverseTunnelCommand = ''
    ${pkgs.openssh}/bin/ssh -v -g -N -T \
      -o ServerAliveInterval=10 \
      -o ExitOnForwardFailure=yes \
      -R *:10022:localhost:22 \
      ${hosts.mermet._module.args.ipv4}
  '';
in
{
  services = {
    openssh = {
      openFirewall = true;
      # Server-side X11Forwarding; only useful to clients that connect with
      # `ssh -X`/`-Y`, so consider dropping it if none do.
      forwardX11 = true;
    };

    upnpc = {
      enable = true;
      redirections = [
        {
          description = "SSH";
          externalPort = 22;
          protocol = "TCP";
          duration = leaseSeconds;
          # Tied to sshd so the lease is (re)requested with the daemon.
          service.wantedBy = [ "sshd.service" ];
          service.partOf = [ "sshd.service" ];
        }
      ]
      ++ map moshRedirection [ 60000 60001 60002 60003 ]
      ++ [
        {
          # Permanent (duration 0) mapping for the initrd sshd, which runs
          # before upnpc could renew anything.
          description = "SSH (boot)";
          externalPort = 2222;
          protocol = "TCP";
          duration = 0;
          service.wantedBy = [ "sshd.service" ];
        }
      ];
    };
  };

  systemd.services = {
    # Host key shipped as an encrypted systemd credential.  The `${...}`
    # interpolation copies the file into the Nix store, which is world-readable,
    # so only the encrypted form belongs here.
    sshd.serviceConfig.LoadCredentialEncrypted = [
      "host.key:${ssh/host.key.cred}"
    ];

    ssh-mermet-reverse = {
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = reverseTunnelCommand;
        # The tunnel is expected to drop; retry indefinitely every 5s.
        Restart = "always";
        RestartSec = "5s";
      };
    };
  };

  programs.ssh.extraConfig = ''
  '';

  boot.initrd.network.ssh = {
    enable = true;
    port = 2222;
    # Same operators as root at stage 2 may reach the initrd sshd.
    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
    # NOTE(review): this key is copied into the initrd image; confirm the
    # image itself is not readable by unprivileged users on this host.
    hostKeys = [ "/root/initrd/ssh.key" ];
    extraConfig = ''
    '';
  };
}